The US Military Can’t Just “Hire” Cyber Expertise. Here’s Why.

In a recent MWI article, Butch Bracknell rightly acknowledged the many “gallons of ink spilled” over the subject of how to bring skilled cyber specialists does into the military. He concludes that challenges associated with recruiting such specialists to serve in uniform can be sidestepped by simply not having most of them serve in uniform at all. And while he accurately addresses three main reasons why certain military tasks are assigned to uniformed members of the armed services (mainly to distinguish their roles in combat zones), his view that cyberspace operations need not be among such tasks is undermined by the convergence between cyber, electronic warfare, intelligence, and signal disciplines. And the example he uses as a model for how cyber expertise might be “hired”—the Marine Band—is too fundamentally different from the military’s cyber needs to be deeply useful.

In short, while strategic cyberspace operations will continue to provide support to combatant commanders, many cyber warriors of the future will need to be deployed forward, and will even be within range of enemy artillery and possibly direct fire.

How close do you need to be to a target to gain access? This battlefield geography changes depending on whether or not the target in question is networked, and what the network topography looks like. A closed network with fiber optic links requires a different level of physical proximity than a closed network using mesh radios as a data link solution, which requires a different level yet than an open network using a commercial ISP backbone. This problem of access inevitably creates some situations in which we will require cyber soldiers who can perform the basic tasks of camouflaging themselves and their equipment, conducting verbal communications over a radio, and engaging targets with an individual or crew-served weapon system as part of a break contact drill. It is possible to make this same argument for a Sailor on a ship, or an Airman working as part of an aircrew in support of a joint force conducting combat operations.

Bracknell and I don’t disagree fundamentally, but rather as a matter of degree. He stops short of saying that no cyber warriors at all will need to be in uniform. Likewise, I don’t suggest that all will need to have these basic military skills. There will always be a need for strategic support from geographic locations inside the United States that can be filled by someone not in uniform much of the time. Even if it is deemed preferable to have certain of these jobs done by uniformed service members, the civilians we are actively recruiting as direct commission officers for the US Army cyber branch can partially fill the very real needs of these US-based units currently supporting the joint force.

But the cyberspace operations needs of military commanders across all forces extends well beyond strategic support to the joint community. Logisticians require cyberspace expertise to identify supply chain attacks on hardware, including replacement parts and commercial, off-the-shelf IT equipment. Maintainers require cyber expertise to evaluate firmware updates to sensors, communications equipment, and weapons systems. Communicators and signalers require cyber expertise to design and build tactical networks which are robust and segregated by functions to mitigate the effects of a security breech.

Bracknell uses the US Marine Corps Band—which “hires” musicians at the paygrade of E-6, waiving requirements to attend basic training and serve in more junior ranks—as a model for how cyber expertise could be brought into the military. But as a model, the Marine Band is problematic for two reasons.

First, while many members of the Marine Band serve for twenty years or even longer, the rest of the Marine Corps has a high turnover rate, with 82 percent of first term Marines declining to continue their service in 2010. This is also true of the Marines’ IT personnel, which the Corps has struggled to retain.

This problem with Marine Corps IT workers is much more representative of the challenges associated with building the cyber warrior workforce than the Marine Band. As Brig. Gen. Dennis Crall, the USMC chief information officer, describes it:

It’s been a lot easier for individuals to just migrate from one job to another without really changing their roles and responsibilities, and if I don’t have the right label on what specific task they’re performing, I can’t look at their career progression, I can’t set a pay scale. What I end up with, compounding over a number of years, is a workforce that looks one way on paper and quite different when I look at what those individuals are doing. Getting a handle on knowing what people do, making sure they’re trained and compensated properly for what they’re doing is what we’re after.

Second, the musical instruments played by the Marine Band, and any other military band, represent a highly mature technology (in fact, the saxophone, invented in 1846, ranks as one of the newest instruments a military band member might play, unless you count the Sousaphone as a new instrument rather than as an evolution of the concert tuba in 1893). When you hire a trumpet player, there are very good standards by which you can judge the quality of musicianship of the individual. When you hire a “cyber warrior” this is very different: exploits that worked a decade ago have been patched, but new zero-day exploits are just waiting to be found. This means even knowing what expertise needs to be “hired” is an immense challenge.

This problem of changing technology leading to changing work roles leading to changing personnel needs is very real, right now for the Marine Corps IT workforce. It is a problem that the Marine Band does not have to deal with as part of its talent management activities. The reason that Army Cyber has built its forces on “operational TDAs” is that a TDA (table of distribution and allowances) is a much easier document to modify than an MTOE (modified table of organization and equipment), and cyber operations require more flexibility to address the changing terrain in cyberspace. An artillery unit can fire a 155-millimeter round made decades ago, and a sapper company can utilize explosives manufactured decades ago, but a cyber operation cannot rely on decades-old code or equipment and be successful in implementing combat power through cyberspace. In ten years the Marine Band will look like it does today, but I doubt anyone is willing to make the same prediction for cyber mission force structures.

Even if the Marine Band’s members were expected to handle a much broader range of skills and constantly learn new technologies (e.g., trumpet today, trombone tomorrow), we don’t expect them to be aware of the impacts of their actions under multiple legal authorities. But we do expect our cyber warriors to be very cognizant of the murky definitions between operational authorities; the uniformed services operate under Title 10 of the US Code, while the intelligence community operates under Title 50, and both will continue to be key players in cyber operations.

Where I do agree with Mr. Bracknell is that if we do need to attract cyber talent, bringing them in along a separate training and utilization track is a perfectly fine answer. The Army’s aviation branch has had “High School to Flight School” and the Army Medical Department has used direct commissioning to fill in key skillsets to deliver military medicine. It is highly likely that we will keep a specialized recruitment and training pathway as an option for cyber warriors destined for strategic and operational units that don’t deploy as a part of the “right mix” of options to meet the needs of the force. However that answer alone doesn’t get us to the fully integrated cyber capability we will increasingly need down to the tactical edge. So we will continue to require standardized military training to teach the skills necessary to support high-intensity conflict. Some of our cyber warriors will inevitably need to be warriors.

Capt. James Armstrong is an electronic warfare officer assigned to Fort Gordon, Georgia. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of the Army, Department of Defense, or the US government.

1 Comment

Lew Arnold
on May 4, 2018 at 6:56 pm

In the realm of cyber/communications intrusion to support an impending combat action; it did not matter if the mission was for the NSA or the CIA or for the COCOM staff; we provided specialized and tailored training to special operations force personnel to complete or place the devices necessary for that intrusion. I agree with the author that this kind of training is extremely perishable and the technology changes every 3 years or faster.

The current military and personal staffing is geared for defense acquisition people or button-pushing monkeys and not competent technical skills. People who actually KNOW how to do things is becoming rarer. There is a huge difference between technically competent people vice people who are only competent at pushing paper (DAU plans and reports) and contracting out everything.

The personnel departments want mostly enlisted NCO "cyber-warriors" so we set up "cyber-warrior" schools to train uniforms to be hackers. Four to 12 weeks in Keesler, 8 weeks at Hurlbert, and another longer stint somewhere else and the USAF still has "cyber-warriors' who only know Microsoft and IP networking. Everything else they know is mostly wrong and still retention is low. With 2 to 4 years of work experience, all of these people can make 50% more on the outside and if they do get a college degree and fill in their technical KSA holes then a Colonels or GS-15 pay scale is not enough to recruit or retain them. Not when the Fortune 200 is paying $150k to $240k for people with industrial security certifications.

Even our top defense contractors who have been squeezed on compensation for years is having difficulty because their contracts do not support cybersecurity pay scales above $150k.

The sad thing is that in my 42 years of engineering and computer and network defense (CND) career – I've known only one person who ever worked for the DoD in a ‘cyber-warrior’ capacity that I really respected. The other 15 people who I've really respected — none worked in cyber coded billets yet all of them were very scary in knowledge and abilities. All of them had undergraduate degrees in mathematics, or mostly Electrical or Electronics Engineering. All of them had graduate degrees in Engineering. They knew hardware, firmware and software.

How do we recruit people like this? When our Standard Desktops are an insult to technical professionals. When we cannot get non-Microsoft software approved to install on the computers so these people can do their job.

In the USAF Radio and RF Engineers cannot get even DISA Spectrum XXI software approved for usage. Not invented here crap by our very own button pushing monkey cyber-warriors. Our own, one-shoe fits all, cyber policies is a huge negative for retention.

Especially when it takes 8 hours to do a cyber-defense task with the crap software that is approved, vice 20 minutes to complete the same work task with commercially available and non-Microsoft software.

I've sat in briefing rooms and listened to J6 career field Colonels and GM-15's reject approval (again) to authorize AutoCAD, or MicroStation or SolidEdge CAD/CAE software for Engineers. Across the last 2 decades I've sat in complete disbelief and disappointment when they said that since the Standard Desktop came with Microsoft Paint that was all the graphics program they needed. They reasoned that Paint is a graphics program and so is AutoCAD – and they are equivalent…

The sheer stupidity level in leadership… the PowerPoint leaders — generates a severe negative retention rate all by itself.

My career was and is always been Engineering. My job has been with either the USN or USAF or a TLA or a Fortune 20 company. A job is NOT a career for highly skilled technical professionals. I've never thought of the DoD or USAF as a career.

The DoD is just a job. So how do we recruit people for the job and keep them interested enough that they keep coming back across their career?

I kept coming back because I enjoyed the generally better class of people inside the DoD.

How do we get the highly skilled and competent kids who are making $220K with Google in Shreveport Louisiana to cross the river to Bossier City and take a GS-12 step 1 job ($63,600 per year) with either Global Strike Command or DHS’s Data and Network Operations Center?

Search

Follow Us

Disclaimer

The articles and other content which appear on the Modern War Institute website are unofficial expressions of opinion. The views expressed are those of the authors, and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

The Modern War Institute does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Rather, the Modern War Institute provides a forum for professionals to share opinions and cultivate ideas. Comments will be moderated before posting to ensure logical, professional, and courteous application to article content.